Val,

I've just found Maven projects use SHA-512.
I went through the commits and found they just switched to a newer parent
org.apache:apache pom.
I've compared our current parent pom with the latest available one
(org.apache:apache:16 vs org.apache:apache:23)
and then found that checksum-maven-plugin was added [1] sometime in between.

So, it seems we have to switch to a newer apache pom and maybe add
checksum-maven-plugin
to our main pom.

[1]
https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a

On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko <
valentin.kuliche...@gmail.com> wrote:

> Hi Andrey,
>
> This indeed sounds like the cleanest way. I don't know how much effort that
> would be though.
>
> -Val
>
> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <
> andrey.mashen...@gmail.com> wrote:
>
> > Maybe we could donate to the Maven plugin the possibility to switch to SHA-512.
> > Hopefully, a new plugin version will be released before we have any release
> > candidate.
> >
> > Does it look like a big deal?
> >
> > Wed, Jan 13, 2021, 21:32 Valentin Kulichenko <
> > valentin.kuliche...@gmail.com>:
> >
> > > Hi Ivan,
> > >
> > > No, I haven't found a way yet. SHA1 still works, but I believe we should
> > > consider using better options in future releases.
> > >
> > > Do you have any ideas on how to implement this?
> > >
> > > -Val
> > >
> > > On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <vololo...@gmail.com>
> > > wrote:
> > >
> > > > Folks,
> > > >
> > > > Were you able to resolve this?
> > > >
> > > > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <
> > > > valentin.kuliche...@gmail.com>:
> > > > > Hi Ivan,
> > > > >
> > > > > Thanks for your response. I've looked into the PGP plugin, and
> > > > > unfortunately it looks like it only can create signatures, but not
> > > > > checksums.
> > > > >
> > > > > -Val
> > > > >
> > > > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <bessonov...@gmail.com>
> > > > > wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > > >> I've never done this before, but it seems like we need maven-gpg-plugin
> > > > > >> for it [1].
> > > > >>
> > > > >> Algorithm configuration would look like this:
> > > > >> <gpgArguments>
> > > > >>     <arg>--digest-algo=SHA512</arg>
> > > > >> </gpgArguments>
> > > > >>
> > > > >> Maybe this will help.
> > > > >>
> > > > >> [1]
> > > > >>
> > > > >>
> > > >
> > >
> >
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> > > > >>
> > > > > >> Mon, Dec 28, 2020 at 01:25, Valentin Kulichenko <
> > > > >> valentin.kuliche...@gmail.com>:
> > > > >>
> > > > >> > Igniters,
> > > > >> >
> > > > > >> > I've been preparing the 3.0.0-alpha1 release and got confused about the
> > > > > >> > requirements for checksums in Maven deployments. The Apache instruction [1]
> > > > > >> > states that MD5 is deprecated and SHA1 should be avoided in favor of
> > > > > >> > SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
> > > > > >> > combination (at least that's what the staging for 2.9.1 [2] contains).
> > > > > >> >
> > > > > >> > On top of that, I can't find an easy way to switch to another checksum -
> > > > > >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> > > > > >> > doesn't seem to have any options to tweak this behavior.
> > > > >> >
> > > > >> > That said, I have two questions:
> > > > >> >
> > > > > >> >    1. Are we required to use SHA512, or is MD5/SHA1 OK for now?
> > > > > >> >    2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
> > > > >> >
> > > > >> > Can anyone shed some light on this?
> > > > >> >
> > > > > >> > [1] https://infra.apache.org/release-signing.html#basic-facts
> > > > > >> > [2] https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > > > > >> > [3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> > > > >> >
> > > > >> > -Val
> > > > >> >
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Sincerely yours,
> > > > >> Ivan Bessonov
> > > > >>
> > > > >
> > > >
> > > >
> > > > --
> > > >
> > > > Best regards,
> > > > Ivan Pavlukhin
> > > >
> > >
> >
>


-- 
Best regards,
Andrey V. Mashenkov
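
Added example, not part of the thread and not the Ignite or Maven build's own code: a check a release manager could run over a downloaded staging directory to see which artifacts carry only MD5/SHA1 sidecars and whether every sidecar matches its artifact. The `.sha256`/`.sha512` sidecar naming, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Sidecar extension -> hashlib algorithm. MD5/SHA-1 are the pair the thread says
# the deploy plugin writes; SHA-256/SHA-512 are the preferred replacements.
SIDECARS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
STRONG = {".sha256", ".sha512"}

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(directory):
    """Return {artifact name: {"mismatch": [sidecar exts], "strong": bool}}."""
    report = {}
    for artifact in sorted(Path(directory).iterdir()):
        # Skip the sidecars themselves and detached signatures.
        if not artifact.is_file() or artifact.suffix in SIDECARS or artifact.suffix == ".asc":
            continue
        entry = {"mismatch": [], "strong": False}
        for ext, algo in SIDECARS.items():
            sidecar = artifact.with_name(artifact.name + ext)
            if not sidecar.exists():
                continue
            # A sidecar holds either "<hex>" or "<hex>  <filename>".
            recorded = (sidecar.read_text().split() or [""])[0].lower()
            if recorded != file_digest(artifact, algo):
                entry["mismatch"].append(ext)
            elif ext in STRONG:
                entry["strong"] = True
        report[artifact.name] = entry
    return report

def demo():
    # Constructed sample: a jar with MD5/SHA-1 only (SHA-1 wrong), a pom with SHA-512.
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "a-1.0.jar").write_bytes(b"constructed jar bytes")
        (d / "a-1.0.jar.md5").write_text(hashlib.md5(b"constructed jar bytes").hexdigest())
        (d / "a-1.0.jar.sha1").write_text("0" * 40)  # deliberately wrong digest
        (d / "a-1.0.pom").write_bytes(b"<project/>")
        (d / "a-1.0.pom.sha512").write_text(hashlib.sha512(b"<project/>").hexdigest() + "  a-1.0.pom\n")
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

An artifact whose entry has `"strong": False` has no verified SHA-256 or SHA-512 sidecar; any extension listed under `"mismatch"` means the published checksum does not match the file.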
